#active-directory · 8sync News

From Code to Coverage (Part 6): What netlogon.log Sees That Event 1644 Never Will

A deep technical investigation into ldapnomnom, a tool that claims to generate no Windows audit logs while brute-forcing Active Directory usernames via LDAP Ping (cLDAP). Source code analysis reveals the tool actually uses TCP (not UDP), making it detectable via Event 5156 from the Windows Filtering Platform. The post explains why Event 1644 structurally cannot log LDAP Ping traffic (it bypasses the LDAP engine entirely, routing to netlogon.dll instead), while netlogon.log with debug logging captures every queried username. A key defender advantage: netlogon.log distinguishes disabled accounts from nonexistent ones, while attackers see identical responses for both. True UDP cLDAP (demonstrated with a custom cldap_ping.py) does evade Event 5156 but still appears in netlogon.log without source IP attribution. Microsoft Defender for Identity (MDI external ID 2437) can detect both TCP and UDP variants via packet capture but is threshold-based and bypassable with throttling. The recommended detection approach correlates netlogon.log usernames with Event 5156 source IPs using a 5-second timestamp window.

FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

A large-scale credential-harvesting campaign dubbed FortiBleed, attributed to a Russian-speaking initial access broker, has been targeting FortiGate firewalls since February 2026. The operation compromised over 430,000 devices globally using a Golang-based tool called FortigateSniffer, which abuses FortiOS's built-in diagnostic packet-sniffing capability to passively capture authentication traffic across 24 protocols. Over 110 million credentials were identified, including RADIUS credentials, NTLM hashes, Kerberos hashes, and MySQL tokens. Attackers then cracked and reused these credentials against Active Directory domains and other services. SMBs and IT service providers were primary targets. The campaign also extended to Synology NAS, Sophos firewalls, Citrix SSL-VPNs, and Microsoft SQL Server systems. CISOs are advised to rotate credentials, harden internet-facing access, enforce MFA, and hunt for signs of packet sniffing and lateral movement.

Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory

Arctic Wolf Labs reverse-engineered the CyberStrike Harvester v1.5 binary (a Go-based Linux ELF) used in the FortiBleed campaign — a large-scale credential compromise operation targeting internet-facing Fortinet FortiGate firewalls across 194 countries. The campaign operates as a closed-loop credential pipeline: credential stuffing and password spraying gain initial access, FortiGate configurations and traffic captures are exported, the CyberStrike Harvester parses pcap/pcapng/FortiGate text to extract NetNTLM, Kerberos, cookies, and cleartext credentials, a Telegram-bot-orchestrated Hashcat/Hashtopolis GPU cluster cracks hashes, and Impacket-based tools then perform AD enumeration, SMB validation, and DFS file-share exfiltration (one logged run collected 121 GB). The operators prioritize targets by revenue and geography. Attribution remains low-confidence Russian-speaking based on tool branding, an operator handle, and Russian-language UI strings. Remediation requires immediate session termination, credential rotation, MFA enforcement, and specific FortiOS password-policy steps to eliminate legacy SHA-256 hashes from configuration exports.